Computerworld Canada – In the current economic climate of uncertainty and tight IT budgets, often the mistake is to assume a more tactical, rather than strategic, approach to securing the ever-increasing volume of data travelling through an organization, said an information security expert.

"We see a lot of tactical activity, and that's probably human nature to plug the obvious holes," said Jon Oltsik, senior analyst with Milford, Mass.-based research firm Enterprise Strategy Group.

Focus on encrypting disks, tapes and laptops, and preventing network data leakage are the obvious things to do, but Oltsik thinks the real struggle is that businesses are creating increasingly more data and attempting to use it in intelligent ways both internally and externally.

Organizations must think strategically by first taking "an assessment approach" by surveying their overall data, said Oltsik, for they may uncover users who have been erroneously granted access to sensitive data, or who have the ability to save sensitive data to portable media.

Purchasing tools to help manage the data must also be done strategically to get a "multiplicative" result where the total value is more than just the sum of individual systems, said Oltsik. Systems should be tightly integrated, he explained, so that they share common functions like auditing and command and control.

Besides the usual focus on backup tapes and laptops, there are other areas IT departments often miss. Vulnerable Web applications need to be secured, said Oltsik, and business processes, too, must be secured to encrypt channels that relay data to external parties like customers and partners.

Dave Bruder, president of Cincinnati, Ohio-based IT Advisor Group, a Symantec partner, agreed that, in unstable times, organizations tend to sideline strategic thinking in favour of a tactical approach. And, especially with data security, the focus must be on that data in motion, not in a state of rest, he said.

While information management used to be a lower priority for IT departments, it's now more front-and-centre given pervasive security threats and regulatory compliance demands, said Oltsik. "It's just really difficult to catch up."

In a recent survey by Cupertino, Calif.-based Symantec Corp., a mere 15 per cent of 200 IT managers polled said they would "bet their paycheque" that they could produce information required for legal discovery. "That's a pretty striking number, given that this community is the one tasked with knowing and having the infrastructure in place for providing a home for this data," said Art Gilliland, Symantec's vice-president of product management for information risk management.

Curtis Rawlings, assistant chief information officer with DeKalb County in Georgia, the local government for a little less than one million county residents, acknowledged that most of the IT effort is put towards blocking and tackling external threats, yet never with a full degree of confidence that everything is completely covered. Compounding that challenge are budget cuts and a new administration. But earning much-needed buy-in for technology purchases, too, is a hurdle, he said. "My approving body says, 'Help me understand why I should spend money on this particular system as opposed to building sidewalks or building parks,'" said Rawlings.

Miley Davis, technical systems administrator with OSF Healthcare System, said a budget freeze has left the Peoria, Ill.-based healthcare provider unable to buy new capital equipment, "so we're stuck where we're at." OSF receives a couple of requests for patient information a month, which it must produce upon demand, but doesn't yet have a system in place to facilitate that.

Moreover, Davis said the growing amount of data within the organization must be made usable to users. "We have so much data, it's everywhere."

Among the other findings of Symantec's survey of IT managers, half the respondents said their e-mail and SharePoint stores are expanding at an annual rate of more than 30 per cent. And 75 per cent said reducing the amount of storage for unstructured data is "important" to "extremely important."

The reality is that although the amount and types of data are growing, IT budgets remain flat or are shrinking, said Gilliland, and a larger percentage of IT spending must be allocated towards maintaining storage, and not improving operations.

Adding to that is external attacks have gone from "hacker vandal attacks" with intangible gains to becoming "a lot more organized around actually stealing information," said Gilliland.